A secure live media boot system includes a BIOS that is coupled to a storage subsystem and a non-volatile memory system. The BIOS receives an operating system image. Prior to installing an operating system on a computing device using the operating system image, the BIOS performs a first measurement action on the operating system image to produce a first operating system measurement that it stores in the non-volatile memory system. The BIOS also stores a read-only version of the operating system image on the storage subsystem. The BIOS subsequently receives a request to install the operating system on the computing device and, in response, performs a second measurement action on the operating system image in order to produce a second operating system measurement. If the BIOS determines that the second operating system measurement matches the first operating system measurement, the BIOS installs the operating system on the computing device.
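The measure-at-receipt, re-measure-at-install flow from the abstract, as an added example that is not part of the patent or any vendor's firmware. SHA-256 as the measurement, a dict standing in for the non-volatile memory system, a temporary directory standing in for the storage subsystem, and the names `measure`, `enroll` and `handle_install_request` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import stat
import tempfile

def measure(path, chunk=1 << 20):
    """Measurement action: SHA-256 over the image bytes (algorithm is an assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.digest()

def enroll(image_bytes, storage_dir, nvram, name="os.img"):
    """On receipt: store the image read-only and keep its measurement in a separate store."""
    path = os.path.join(storage_dir, name)
    with open(path, "wb") as f:
        f.write(image_bytes)
    os.chmod(path, stat.S_IRUSR)      # read-only version on the storage subsystem
    nvram[name] = measure(path)       # first measurement, kept apart from the image
    return path

def handle_install_request(path, nvram, install):
    """On an install request: re-measure, compare, install only on a match."""
    expected = nvram.get(os.path.basename(path))
    if expected is None:
        return False                  # image was never enrolled: fail closed
    second = measure(path)            # second measurement, taken at request time
    if not hmac.compare_digest(second, expected):
        return False                  # image changed since enrollment: refuse
    install(path)
    return True

def demo():
    nvram, installed = {}, []         # constructed stand-ins for NVRAM and the installer
    with tempfile.TemporaryDirectory() as d:
        path = enroll(b"constructed OS image bytes" * 1000, d, nvram)
        ok_clean = handle_install_request(path, nvram, installed.append)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # model the read-only control failing
        with open(path, "r+b") as f:
            f.seek(10)
            f.write(b"X")             # single-byte modification of the stored image
        ok_modified = handle_install_request(path, nvram, installed.append)
        ok_unknown = handle_install_request(os.path.join(d, "other.img"), nvram, installed.append)
    return ok_clean, ok_modified, ok_unknown, len(installed)

if __name__ == "__main__":
    print(demo())
```

The second request is refused even though the read-only flag was lifted, which is why the measurement lives in a store separate from the image.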
Legal claims defining the scope of protection, as filed with the USPTO.
1. A secure live media boot system, comprising: a chassis; a first storage subsystem that is included in the chassis and that stores an operating system image; a second storage subsystem that is separate from the first storage subsystem, that is included in the chassis, and that stores a first operating system image measurement generated from the operating system image; and an operating system image verification subsystem that is included in the chassis and that is coupled to the first storage subsystem and the second storage subsystem, wherein the operating system image verification subsystem is configured to: receive a request to install an operating system provided by the operating system image; generate, using the operating system image and in response to receiving the request, a second operating system image measurement for the operating system image; determine that the second operating system image measurement matches the first operating system image measurement; and perform, using the operating system image and in response to determining that the second operating system image measurement matches the first operating system image measurement, an installation of the operating system provided by the operating system image.
2. The system of claim 1, wherein the operating system image verification subsystem is configured to: receive the operating system image; generate, using the operating system image, the first operating system image measurement for the operating system image; store the operating system image on the first storage subsystem; and store the first operating system image measurement on the second storage subsystem.
3. The system of claim 2, wherein the generating the first operating system image measurement for the operating system image is performed in response to receiving the operating system image and prior to an initial installation of the operating system provided by the operating system image.
4. The system of claim 1, wherein the operating system image is stored on the first storage subsystem as a read-only operating system image.
5. The system of claim 1, wherein the operating system image is stored on the first storage subsystem as an encrypted operating system image, and wherein the operating system image verification subsystem is configured to: decrypt the encrypted operating system image to provide a decrypted operating system image, wherein the generating the second operating system image measurement for the operating system image includes: generating the second operating system image measurement for the operating system image using the decrypted operating system image.
6. The system of claim 1, wherein the first operating system image measurement is stored on the second storage subsystem as an encrypted first operating system image measurement, and wherein the operating system image verification subsystem is configured to: decrypt the encrypted first operating system image measurement to provide a decrypted first operating system measurement, wherein the determining that the second operating system image measurement matches the first operating system image measurement includes: determining that the second operating system image measurement matches the decrypted first operating system image measurement.
7. An Information Handling System (IHS), comprising: a chassis; a processing system that is housed in the chassis; and a memory system that is housed in the chassis, that is coupled to the processing system, and that includes instructions that, when executed by the processing system, cause the processing system to provide an operating system image verification engine that is configured to: receive a request to install an operating system provided by an operating system image that is stored in a first storage subsystem that is housed in the chassis; generate, using the operating system image and in response to receiving the request, a second operating system image measurement for the operating system image; determine that the second operating system image measurement matches a first operating system image measurement that is stored in a second storage subsystem that is housed in the chassis and that is separate from the first storage subsystem; and perform, using the operating system image and in response to determining that the second operating system image measurement matches the first operating system image measurement, an installation of the operating system provided by the operating system image.
8. The IHS of claim 7, wherein the operating system image verification engine is configured to: receive the operating system image; generate, using the operating system image, the first operating system image measurement for the operating system image; store the operating system image on the first storage subsystem; and store the first operating system image measurement on the second storage subsystem.
9. The IHS of claim 8, wherein the generating the first operating system image measurement for the operating system image is performed in response to receiving the operating system image and prior to an initial installation of the operating system provided by the operating system image.
10. The IHS of claim 8, wherein the operating system image is received via an external device connector that is included on the chassis and coupled to the processing system.
11. The IHS of claim 7, wherein the operating system image is stored on the first storage subsystem as a read-only operating system image.
12. The IHS of claim 7, wherein the operating system image is stored on the first storage subsystem as an encrypted operating system image, and wherein the operating system image verification engine is configured to: decrypt the encrypted operating system image to provide a decrypted operating system image, wherein the generating the second operating system image measurement for the operating system image includes: generating the second operating system image measurement for the operating system image using the decrypted operating system image.
13. The IHS of claim 7, wherein the first operating system image measurement is stored on the second storage subsystem as an encrypted first operating system image measurement, and wherein the operating system image verification engine is configured to: decrypt the encrypted first operating system image measurement to provide a decrypted first operating system measurement, wherein the determining that the second operating system image measurement matches the first operating system image measurement includes: determining that the second operating system image measurement matches the decrypted first operating system image measurement.
14. A method for providing an operating system, comprising: receiving, by an operating system image verification subsystem included in a chassis, a request to install an operating system provided by an operating system image that is stored in a first storage subsystem that is housed in the chassis; generating, by the operating system image verification subsystem using the operating system image and in response to receiving the request, a second operating system image measurement for the operating system image; determining, by the operating system image verification subsystem, that the second operating system image measurement matches a first operating system image measurement that is stored in a second storage subsystem that is housed in the chassis and that is separate from the first storage subsystem; and performing, by the operating system image verification subsystem using the operating system image and in response to determining that the second operating system image measurement matches the first operating system image measurement, an installation of the operating system provided by the operating system image.
15. The method of claim 14, further comprising: receiving, by the operating system image verification subsystem, the operating system image; generating, by the operating system image verification subsystem using the operating system image, the first operating system image measurement for the operating system image; storing, by the operating system image verification subsystem, the operating system image on the first storage subsystem; and storing, by the operating system image verification subsystem, the first operating system image measurement on the second storage subsystem.
16. The method of claim 15, wherein the generating the first operating system image measurement for the operating system image is performed in response to receiving the operating system image and prior to an initial installation of the operating system provided by the operating system image.
17. The method of claim 15, wherein the operating system image is received via an external device connector that is included on the chassis and coupled to the operating system image verification subsystem.
18. The method of claim 14, wherein the operating system image is stored on the first storage subsystem as a read-only operating system image.
19. The method of claim 14, wherein the operating system image is stored on the first storage subsystem as an encrypted operating system image, and wherein the method further comprises: decrypting, by the operating system image verification subsystem, the encrypted operating system image to provide a decrypted operating system image, wherein the generating the second operating system image measurement for the operating system image includes: generating the second operating system image measurement for the operating system image using the decrypted operating system image.
20. The method of claim 14, wherein the first operating system image measurement is stored on the second storage subsystem as an encrypted first operating system image measurement, and wherein the method further comprises: decrypting, by the operating system image verification subsystem, the encrypted first operating system image measurement to provide a decrypted first operating system measurement, wherein the determining that the second operating system image measurement matches the first operating system image measurement includes: determining that the second operating system image measurement matches the decrypted first operating system image measurement.
June 21, 2018
September 15, 2020